19 Oct 2015

Removing Obsolete Cipher Suites from vRealize Hyperic

So, you've done all the hard work to change your Hyperic Server certificate (or not). Now you browse to your Hyperic server's management page via HTTPS on port 7443 and you're presented with this uninspiring message from your browser:

Although this looks rather serious, it's not. It's simply because Firefox and Chrome have now removed support for cipher suites that make use of the Diffie-Hellman key exchange mechanism, because the protocol is obsolete and insecure.

Note: If you're an administrator that hates SSL certificates and everything about them, you might want to consider doing what I did. I hated them too once upon a time. Then I realised that the reason I hated SSL was because I knew very little about SSL/TLS. Because I knew very little about SSL/TLS, I always got tripped up with issues like these, issues that just got in my way of getting the job done. So to address that problem, I decided to study SSL/TLS (they're the same thing really) and in particular OpenSSL. Do yourself and your career a favour and get a book called "Bulletproof SSL/TLS" by Ivan Ristić. Buy the book and study it thoroughly. You'll probably find that the subject is far more interesting than you currently think it is, and all will suddenly look much less complicated.

Before making any changes in a production environment, always test the process in a development or pre-production environment to ensure that the changes do not affect your deployed Hyperic agent configuration. Changing cipher suites in a sensible manner (don't remove everything, and certainly don't add any new ones manually unless told to do so by VMware support) should not affect anything by default, but it's better to be safe than sorry. I do not accept any responsibility for anything that goes wrong in your environment as a result of changes made.

So, back to fixing our issue. To fix it, we need to remove the unsupported cipher suites from the Hyperic server configuration. This is done by changing the "ciphers" line in /opt/hyperic/server-5.8.4-EE/hq-engine/hq-server/conf/server.xml (in the default server.xml, the line should be in the area around line 33). Before making changes to the configuration file, always make a backup copy of the original.

1. Make a backup copy of /opt/hyperic/server-5.8.4-EE/hq-engine/hq-server/conf/server.xml 

cd /opt/hyperic/server-5.8.4-EE/hq-engine/hq-server/conf/
cp ./server.xml ./server.xml.original.backup

2. Edit the file /opt/hyperic/server-5.8.4-EE/hq-engine/hq-server/conf/server.xml

vi /opt/hyperic/server-5.8.4-EE/hq-engine/hq-server/conf/server.xml

Find the ciphers line:

ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"

We need to remove any suites that contain DHE, but RC4 is also obsolete, so remove them as well. That essentially leaves us with two suites remaining:

ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"

3. Save the file and exit the editor

 <ESC> :wq

4. Restart the Hyperic server

/opt/hyperic/server-5.8.4-EE/bin/hq-server.sh restart
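The following shell script is an added example, not code from the original post or from VMware: prune_ciphers applies the pruning rule to the stock list (note that the two-suite result above also drops SSL_RSA_WITH_3DES_EDE_CBC_SHA, so the filter removes 3DES as well as DHE and RC4), java_to_openssl translates the JSSE suite names into the names openssl s_client understands, and server_accepts lets you confirm against the restarted server on 7443 that the removed suites are now refused. It assumes POSIX sh and the openssl command-line tool; HQ_HOST and HQ_PORT are placeholder environment variables.

```sh
#!/bin/sh
# Added example (not from the post or VMware): prune obsolete suites, check a live server.

# Drop every suite whose name contains DHE, RC4 or 3DES. Spaces and line
# breaks are tolerated because the attribute value in server.xml is wrapped.
prune_ciphers() {
    printf '%s' "$1" \
        | tr -d ' \t\n' \
        | tr ',' '\n' \
        | grep -v -e DHE -e RC4 -e 3DES \
        | paste -sd ',' -
}

# Map a Java/JSSE suite name to the name openssl s_client expects.
java_to_openssl() {
    case "$1" in
        TLS_RSA_WITH_AES_128_CBC_SHA)      echo AES128-SHA ;;
        TLS_RSA_WITH_AES_256_CBC_SHA)      echo AES256-SHA ;;
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA)  echo DHE-RSA-AES128-SHA ;;
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA)  echo DHE-RSA-AES256-SHA ;;
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA)  echo DHE-DSS-AES128-SHA ;;
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA)  echo DHE-DSS-AES256-SHA ;;
        SSL_RSA_WITH_RC4_128_MD5)          echo RC4-MD5 ;;
        SSL_RSA_WITH_RC4_128_SHA)          echo RC4-SHA ;;
        SSL_RSA_WITH_3DES_EDE_CBC_SHA)     echo DES-CBC3-SHA ;;
        SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA) echo EDH-RSA-DES-CBC3-SHA ;;
        SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA) echo EDH-DSS-DES-CBC3-SHA ;;
        *) echo "unknown suite: $1" >&2; return 1 ;;
    esac
}

# Succeeds only if host $1, port $2 negotiates the OpenSSL-named suite $3.
server_accepts() {
    openssl s_client -connect "$1:$2" -cipher "$3" </dev/null 2>/dev/null \
        | grep -q 'Cipher is [A-Z]'
}

# The stock Hyperic 5.8.4 list quoted in the post, wrapped as in server.xml.
HYPERIC_DEFAULT='SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA'

# Usage: HQ_HOST=<hyperic-host> [HQ_PORT=7443] sh cipher-check.sh; unset, only the functions load.
if [ -n "$HQ_HOST" ]; then
    for suite in $(printf '%s' "$HYPERIC_DEFAULT" | tr -d ' \t\n' | tr ',' ' '); do
        server_accepts "$HQ_HOST" "${HQ_PORT:-7443}" "$(java_to_openssl "$suite")" \
            && echo "ACCEPTED $suite" || echo "rejected $suite"
    done
fi
```

Both surviving suites use static RSA key exchange and therefore give no forward secrecy, which is the trade-off of dropping DHE outright rather than supplying larger DH parameters or ECDHE suites.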

Last modified on Monday, 19 October 2015 17:08